Detecting user approved MDM using the profiles command line tool on macOS 10.13.4

Starting in macOS 10.13.2, Apple introduced the concept of User Approved MDM Enrollment (UAMDM). UAMDM grants mobile device management (MDM) additional management privileges beyond what is allowed for macOS MDM enrollments which have not been “user approved”. As of macOS 10.13.4, the only additional management privilege associated with UAMDM is that it allows you to deploy a profile which provides a whitelist for third-party kernel extensions. However, I would anticipate that this list will grow over time.

Starting in macOS 10.13.4, you can use the profiles command line tool to determine if a machine is enrolled in an MDM, and if user-approved MDM is enabled. To do this, run the command shown below:

profiles status -type enrollment
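As an added example (not code from the original post), the script below wraps that command in the kind of extension-attribute check the post is aimed at. It first confirms the OS is at least 10.13.4, since earlier releases do not understand the -type enrollment option, and then reduces the command's output to a single status string. The output line formats it parses ("Enrolled via DEP: Yes|No" and "MDM enrollment: Yes (User Approved)|Yes|No") are assumed from 10.13.4 behaviour; the post itself does not reproduce them, and the sample outputs in the script are constructed for illustration. The version comparison is a plain POSIX shell routine written here, not the commenter's osAtLeast function.

```shell
#!/bin/sh
# Added example: classify `profiles status -type enrollment` output (macOS 10.13.4+).
# Assumed output formats (not shown on the page):
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes (User Approved) | Yes | No

# version_at_least HAVE WANT
# Returns 0 if dotted version HAVE >= WANT, comparing component by component.
# Missing trailing components in HAVE count as 0 (so 10.13 < 10.13.4).
version_at_least() {
    have=$1
    want=$2
    while [ -n "$want" ]; do
        w=${want%%.*}
        h=${have%%.*}
        [ "$want" = "$w" ] && want='' || want=${want#*.}
        [ "$have" = "$h" ] && have='' || have=${have#*.}
        h=${h:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
    done
    return 0
}

# classify_enrollment OUTPUT
# OUTPUT is the full text printed by `profiles status -type enrollment`.
# Prints one of: "User Approved MDM", "MDM enrolled (not user approved)",
# "Not enrolled" or "Unknown", each suffixed with the DEP status.
classify_enrollment() {
    dep=$(printf '%s\n' "$1" | awk -F': ' '/^Enrolled via DEP:/ {print $2}')
    mdm=$(printf '%s\n' "$1" | awk -F': ' '/^MDM enrollment:/ {print $2}')
    case "$mdm" in
        "Yes (User Approved)") result="User Approved MDM" ;;
        Yes*)                  result="MDM enrolled (not user approved)" ;;
        No)                    result="Not enrolled" ;;
        *)                     result="Unknown" ;;
    esac
    printf '%s (DEP: %s)\n' "$result" "${dep:-unknown}"
}

# Constructed sample outputs, in the assumed 10.13.4 format, for offline testing.
SAMPLE_UAMDM='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_MDM_ONLY='Enrolled via DEP: Yes
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# Live check: only on a Mac new enough to support `-type enrollment`.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && \
   version_at_least "$(sw_vers -productVersion)" 10.13.4; then
    classify_enrollment "$(profiles status -type enrollment)"
else
    # Elsewhere, demonstrate on the constructed samples.
    classify_enrollment "$SAMPLE_UAMDM"
    classify_enrollment "$SAMPLE_MDM_ONLY"
    classify_enrollment "$SAMPLE_NONE"
fi
```

Because the result is a single line, the script drops straight into a Jamf extension attribute or any other inventory field; the version guard is what stops the check from emitting garbage on 10.13.3 and earlier, where the option does not exist.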

Depending on your MDM enrollment status, you may see one of the following statuses shown below:

Alternative code below… essentially the same thing, but with a different way of checking the OS version. That is a common thing to need to do in extension attribute scripts, like for different versions of fdesetup, etc.

That’s functionally similar to the blog post, just with a different solution for figuring out what dot-version of the OS is running.

The advantage of this way is you can paste the functions into a script and then just say ‘osAtLeast “whatever”’. The advantage of the more traditional “nested if statements” way is that normal people can actually follow what the heck is going on.

Does this check the machine’s OS to see if it is in DEP, or does it check via the internet if it is in DEP? (I buy and refurbish MacBook Pros and install a fresh OS on machines, and it would be good to know if it’s in DEP before I sell them! Sometimes if it is in DEP it can take days before you get a DEP enrollment message.)